DaemonForums > OpenBSD > OpenBSD Security

#1 afdruiprek (1 Week Ago)
Route some ip addresses outside VPN

Hello, I'm a new member of this forum, but I have used it a lot before I became a member.

I have a router with pfSense but would like to change it in favor of OpenBSD pf.

My setup looks like this.

ISP **** ROUTER **** AP

I run one OpenVPN client on the router so that all machines on the wifi AP go through the VPN.

Now comes the problem: I would want some of the clients' IP addresses to be routed through the WAN (without VPN). I have tried different routing alternatives but I haven't found anything that works.
Everything else seems to work, even the "killswitch".

Here is my pf.conf; any suggestions on optimizations would also be appreciated.
Thanks in advance!!
Code:
ext_if = "em0"              # External interface
int_if = "em1"              # Internal interface
vpn_if = "tun0"             # Vpn interface

# Reserved/bogon networks that should never be seen on the WAN side
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }

set block-policy drop
set loginterface $ext_if
set skip on lo0

# Normalise every incoming packet
match in all scrub (no-df random-id max-mss 1440)

# NAT the LAN behind whichever interface the packet actually leaves on
match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
match out on $vpn_if inet from ($int_if:network) to any nat-to ($vpn_if:0)

# Drop spoofed/reserved sources and destinations on the WAN
block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>

block all
# Everything arriving from the LAN is tagged; the tag follows the state
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state

# "Killswitch": tagged LAN traffic may never leave via the WAN, only via tun0
block quick on $ext_if tagged NO_WAN_EGRESS
#block return out quick on $ext_if tagged NO_WAN_EGRESS

pass out quick inet
#pass in on $int_if inet
#2 jggimi (6 Days Ago)
Hello, and welcome!
Quote:
...i would want some of the clients ip addresses to be routed through wan (without VPN)..
At the moment, your configuration blocks all traffic originating on $int_if (em1) from transiting $ext_if (em0), as all traffic originating on $int_if is tagged NO_WAN_EGRESS.

Since tags are "sticky" you could add another pass rule with a different tag immediately following the first pass rule, such as:
Code:
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state
pass in from address tag WAN_EGRESS_IS_OK
The address could be a single address, a set of addresses in a list, or a table of addresses. (Note: "to any" and "keep state" are defaults.)

For more on tags, see the pf.conf(5) man page and the packet tagging chapter of the PF User's Guide.

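A worked version of the tag approach jggimi describes, added here as an example rather than code from the thread. The `<wan_ok>` table name and the 192.168.1.x addresses are assumed (the OP's LAN addressing is not given). The first pass rule tags every LAN packet NO_WAN_EGRESS, the second re-tags the listed hosts, and the existing block on $ext_if then only stops traffic still carrying NO_WAN_EGRESS. This changes filtering only: the routing table still decides which interface a packet leaves on, so a default route pointing into tun0 is not overridden by a tag.

```pf
ext_if = "em0"
int_if = "em1"
vpn_if = "tun0"

# Hosts allowed to leave via the ISP link instead of the tunnel.
# Addresses are constructed for this example.
table <wan_ok> { 192.168.1.50 192.168.1.51 }

# (martians table, set options, scrub and nat-to rules as in the OP's pf.conf)

block all

# Every packet arriving from the LAN is tagged first ...
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state

# ... and packets from the listed hosts are re-tagged. A later matching
# rule may change the tag, so these states carry WAN_EGRESS_IS_OK instead.
# Tags are sticky: the tag is stored with the state, so it is still
# visible when the same flow is evaluated on $ext_if below.
# ("to any" and "keep state" are defaults and are omitted here.)
pass in on $int_if from <wan_ok> tag WAN_EGRESS_IS_OK

# The kill switch: LAN traffic still tagged NO_WAN_EGRESS never leaves em0.
# Traffic tagged WAN_EGRESS_IS_OK does not match and falls through to pass out.
block quick on $ext_if tagged NO_WAN_EGRESS

pass out quick inet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -t wan_ok -T show` lists which hosts are currently in the override table.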
#3 afdruiprek (6 Days Ago)
Thanks for the tips jggimi, I will use your rule.

But that won't change the VPN issue. I have tried before, without the NO_WAN_EGRESS rules, to force 1 IP address to
be routed through the WAN (to use my ISP IP, not the VPN), but whenever a VPN client is running on the server it changes its default route.
I have searched forums and OpenBSD manuals but haven't really found a solution that works.
#4 jggimi (6 Days Ago)
Perhaps I'm confused. I understood your issue to be to do with passing traffic for a device on the local network that is NOT using your VPN. If that is the case, then its routing table should not be affected.

I'm not an OpenVPN user so am unable to offer specific provisioning advice for it.
#5 afdruiprek (6 Days Ago)
It's probably my explanation that is bad; English isn't my first language.

The VPN client is running on the router, and all machines on the local network that are connected through the LAN are getting the VPN provider's IP address.

If I turn off the VPN client, all machines will get my ISP IP address; hence the NO_WAN_EGRESS rule,
so if the VPN goes down no traffic will pass.

What I want is for 1 or more machines on the LAN to not be routed through the VPN (use the ISP IP address) while all the others use the VPN.

I hope you will understand me now.
#6 jggimi (6 Days Ago)
You'll need to adjust the OpenVPN client configuration so that it excludes the specific device or devices.